Skip to content
Cloudflare Docs

Managed rules

WAF Managed Rules allow you to deploy pre-configured managed rulesets that provide immediate protection against:

  • Zero-day vulnerabilities
  • Top-10 attack techniques
  • Use of stolen/exposed credentials
  • Extraction of sensitive data

These managed rulesets are regularly updated. Each rule has a default action that varies according to the severity of the rule. You can adjust the behavior of specific rules, choosing from several possible actions.

Rules of managed rulesets have associated tags (such as wordpress) that allow you to search for a specific group of rules and configure them in bulk.

Managed rulesets

Cloudflare provides the following managed rulesets in the WAF:

The following managed rulesets run in a response phase:

Availability

The managed rulesets you can deploy depend on your Cloudflare plan.

Free Pro Business Enterprise

Availability

Yes

Yes

Yes

Yes

Free Managed Ruleset

Yes

Yes

Yes

Yes

Cloudflare Managed Ruleset

No

Yes

Yes

Yes

Cloudflare OWASP Core Ruleset

No

Yes

Yes

Yes

Cloudflare Exposed Credentials Check

No

Yes

Yes

Yes

Cloudflare Sensitive Data Detection

No

No

No

Yes

Customize the behavior of managed rulesets

To customize the behavior of managed rulesets, do one of the following:

  • Create exceptions to skip the execution of WAF managed rulesets or some of their rules under certain conditions.
  • Configure overrides to override the default rule action or disable one or more rules of managed rulesets. Overrides can affect an entire managed ruleset, specific tags, or specific rules in the managed ruleset.

Exceptions have priority over overrides.

Cloudflare DashboardDiscordCommunityLearning CenterSupport Portal